2023-09-28 Meeting notes



Discussion items


Anything Urgent? Review the Kanban board?Team

Nothing in the expedite column.

We need to create a new dev Team in JIRA for the team responsible for edge-courses.

Hardcoded System User CredentialsTeam

From Julian in slack:

We still have modules that ship with default system users with hardcoded username and a hardcoded password. In all modules the sysop can configure a different username and a different password, however, it's possible that it's forgotten or that the config has a typo. GDPR requires security by default. A module should fail at startup when username or password configuration is missing. Then the user interface is forgiving and doesn't create an unintended security hole.


  • Do JIRAs exist for the modules which still have default username/passwords? 
    • Not yet.
  • How many are we talking about here?  is it 1? 2? 8+?
    • Julian guesses it's probably around 8 or so.

Board / Snyk configuration


Suggestion from Jakub Skoczen last week was to drop mod-reservoir from the security board (possibly snyk too) since it isn't part of the Folio flower releases.  Are there any others we should consider as well?  Do we have a policy (or even an opinion) on this?  

  • Upon additional thinking, we feel that doing this would significantly reduce our visibility into security vulnerabilities in these modules.  Let's leave it as is for now, and if it becomes a problem we can revisit.
  • Julian Ladisch pointed out that if the project does adopt the application formalization approach currently being discussed, there's a chance that modules like this may be used as "extended" applications even if not formally part of a flower release.  Therefore we need to stay on top of vulnerably, etc.

Refresh token rotationTeam
  • Regarding the environment variable which allows the legacy endpoints to be disabled, what is the default behavior?  
    • The Security Team's recommendation is that the endpoints are disabled by default, but hosting providers/system-operators can enabled them if needed.
    • Craig McNally will raise this at the TC meeting next Monday.
  • The TC has agreed on a transition period where both legacy and new endpoints will co-exist.  There will be more conversation about which release removes the legacy endpoints altogether at the TC meeting on .

Update on Node 18 upgrade

Support period for the last LTS (16) was shortened, which means the need to move to node 18 has come sooner than anticipated.  See FOLIO-3870 - Getting issue details... STATUS for progress.  Almost all components have been updated, only a few remain.

Action items